kinde_sdk 1.2.3 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1553814bbc9fcac3dc85f89b46680f81626d6a86771f900fae97fabe5bfb12e6
-  data.tar.gz: a6e89557f44e9483cc9d96e6ec97bcdf402d4995df2e0653ddb11be054913542
+  metadata.gz: bc5ca096d7760fdbb44aad50f80581bedad34c59961401731a46fdcfe12de6e8
+  data.tar.gz: 7c172304b38b70bb4446e25db64cd3ce98c28aadded415d32a776b82885095d5
 SHA512:
-  metadata.gz: e1110fef072979b2a720c84a468943bccef437dd477d39764b9fae8a85f78680365b40f640535bcdb37aee19652de5761dfc8a5093d6df425130754344809649
-  data.tar.gz: 3d36f72b26a3616967b19c31ac36ed465ae7bc515ef88207bf472ac621704b572de6200ebc0230580a7668b7eca9cf2923b35ef146f69843ea57f44ca6b55832
+  metadata.gz: 963aabbb2e5d9ea92c3369d127f21ea3181aa646bbf087a1e4322c7d4721f0c267a8ba0f5f55d5a1c389bdca7d75844193fa039969f6760fd0c59419e6e8897b
+  data.tar.gz: 520cd6180f22cf93041b0de2cd89898d6640c275dd4f9d8e19efa4514969b18dc4a440265ab3a1b35aa81ab0707adad6eeb45c11d7bc8ab68eb978c7bb969616

data/lib/kinde_sdk/configuration.rb

@@ -36,7 +36,7 @@ module KindeSdk
       yield(self) if block_given?
     end
 
-    def oauth_client
+    def oauth_client(client_id: @client_id, client_secret: @client_secret, domain: @domain, authorize_url: @authorize_url, token_url: @token_url )
       ::OAuth2::Client.new(
         client_id,
         client_secret,

data/lib/kinde_sdk/controllers/auth_controller.rb

@@ -0,0 +1,152 @@
+require 'action_controller'
+require 'uri'
+require 'cgi'
+require 'net/http'
+require 'json'
+require 'jwt'
+
+module KindeSdk
+  class AuthController < ActionController::Base
+    # Add before_action to validate nonce in callback
+    before_action :validate_state, only: :callback
+  
+    def auth
+      # Generate a secure random nonce
+      nonce = SecureRandom.urlsafe_base64(16)
+      
+      # Call KindeSdk.auth_url with nonce
+      auth_data = KindeSdk.auth_url(nonce: nonce)
+      
+      # Store in session
+      session[:code_verifier] = auth_data[:code_verifier] if auth_data[:code_verifier].present?
+      session[:auth_nonce] = nonce
+      session[:auth_state] = {
+        requested_at: Time.current.to_i,
+        redirect_url: auth_data[:url]
+      }
+  
+      redirect_to auth_data[:url], allow_other_host: true
+    end
+  
+    def callback
+      tokens = KindeSdk.fetch_tokens(
+        params[:code],
+        code_verifier: KindeSdk.config.pkce_enabled ? session[:code_verifier] : nil
+      ).slice(:access_token, :id_token, :refresh_token, :expires_at)
+  
+
+      # Validate nonce in ID token
+      id_token = tokens[:id_token]
+      issuer = KindeSdk.config.domain
+      client_id = KindeSdk.config.client_id
+      original_nonce = session[:auth_nonce]
+      unless validate_nonce(id_token, original_nonce, issuer, client_id)
+        Rails.logger.warn("Nonce validation failed")
+        redirect_to "/", alert: "Invalid authentication nonce"
+        return
+      end
+
+      # Store tokens and user in session
+      session[:kinde_auth] = OAuth2::AccessToken.from_hash(KindeSdk.config.oauth_client, tokens).to_hash
+        .slice(:access_token, :refresh_token, :expires_at)
+      session[:kinde_user] = KindeSdk.client(tokens).oauth.get_user.to_hash
+      
+      # Clear nonce and state after successful authentication
+      session.delete(:auth_nonce)
+      session.delete(:auth_state)
+      session.delete(:code_verifier)
+      redirect_to "/"
+    rescue StandardError => e
+      Rails.logger.error("Authentication callback failed: #{e.message}")
+      redirect_to "/", alert: "Authentication failed"
+    end
+  
+    def client_credentials_auth
+      result = KindeSdk.client_credentials_access(
+        client_id: ENV["KINDE_MANAGEMENT_CLIENT_ID"],
+        client_secret: ENV["KINDE_MANAGEMENT_CLIENT_SECRET"]
+      )
+  
+      if result["error"].present?
+        Rails.logger.error("Client credentials auth failed: #{result['error']}")
+        raise result["error"]
+      end
+  
+      $redis.set("kinde_m2m_token", result["access_token"], ex: result["expires_in"].to_i)
+      redirect_to mgmt_path
+    end
+  
+    def logout
+      redirect_to KindeSdk.logout_url, allow_other_host: true
+    end
+  
+    def logout_callback
+      reset_session
+      redirect_to "/"
+    end
+  
+    private
+  
+    def validate_state
+      # Check if nonce and state exist in session
+      unless session[:auth_nonce] && session[:auth_state]
+        Rails.logger.warn("Missing session state or nonce")
+        redirect_to "/", alert: "Invalid authentication state"
+        return
+      end
+  
+      # Verify nonce returned matches stored nonce
+      returned_state = params[:state]
+      stored_state = session[:auth_state]
+      stored_url = stored_state["redirect_url"]
+  
+      # Extract the state from the stored redirect_url
+      parsed_url = URI.parse(stored_url)
+      query_params = CGI.parse(parsed_url.query || "")
+      stored_state_from_url = query_params["state"]&.first
+
+      # Verify returned state matches the state extracted from the redirect_url
+      unless returned_state.present? && returned_state == stored_state_from_url
+        Rails.logger.warn("State validation failed: returned=#{returned_state}, expected=#{stored_state_from_url}")
+        redirect_to "/", alert: "Invalid authentication state"
+        return
+      end
+
+      # Optional: Check state age (e.g., expires after 15 minutes)
+      if Time.current.to_i - stored_state["requested_at"] > 900
+        Rails.logger.warn("Authentication state expired")
+        redirect_to "/", alert: "Authentication session expired"
+        return
+      end
+    end
+
+
+    def validate_nonce(id_token, original_nonce, issuer, client_id)
+      jwks_uri = URI.parse("#{issuer}/.well-known/jwks.json")
+      jwks_response = Net::HTTP.get(jwks_uri)
+      jwks = JSON.parse(jwks_response)
+    
+      decoded_token = JWT.decode(
+        id_token,
+        nil,
+        true,
+        algorithm: 'RS256',
+        iss: issuer,
+        aud: client_id,
+        verify_iss: true,
+        verify_aud: true,
+        jwks: { keys: jwks['keys'] }
+      )
+    
+      payload = decoded_token[0]
+      nonce_from_token = payload['nonce']
+      
+      nonce_from_token == original_nonce
+    rescue StandardError => e
+      Rails.logger.error("Nonce validation error: #{e.message}")
+      false
+    end
+    
+    
+  end
+end

data/lib/kinde_sdk/version.rb

@@ -1,3 +1,3 @@
 module KindeSdk
-  VERSION = "1.2.3"
+  VERSION = "1.3.1"
 end

data/lib/kinde_sdk.rb

@@ -1,9 +1,10 @@
+require "logger"
 require "kinde_sdk/version"
 require "kinde_sdk/configuration"
 require "kinde_sdk/client/feature_flags"
 require "kinde_sdk/client/permissions"
+require "kinde_sdk/controllers/auth_controller"
 require "kinde_sdk/client"
-
 require 'securerandom'
 require 'oauth2'
 require 'pkce_challenge'
@@ -27,18 +28,33 @@ module KindeSdk
     # receive url for authorization in Kinde itself
     #
     # @return [Hash]
-    def auth_url(redirect_uri: @config.callback_url, **kwargs)
+    def auth_url(
+      client_id: @config.client_id,
+      client_secret: @config.client_secret,
+      domain: @config.domain,
+      redirect_uri: @config.callback_url,
+       **kwargs)
       params = {
         redirect_uri: redirect_uri,
         state: SecureRandom.hex,
-        scope: @config.scope
+        scope: @config.scope,
       }.merge(**kwargs)
-      return { url: @config.oauth_client.auth_code.authorize_url(params) } unless @config.pkce_enabled
+      return { url: @config.oauth_client(
+        client_id: client_id,
+        client_secret: client_secret,
+        domain: domain,
+        authorize_url: "#{domain}/oauth2/auth",
+        token_url: "#{domain}/oauth2/token").auth_code.authorize_url(params) } unless @config.pkce_enabled
 
       pkce_challenge = PkceChallenge.challenge(char_length: 128)
       params.merge!(code_challenge_method: 'S256', code_challenge: pkce_challenge.code_challenge)
       {
-        url: @config.oauth_client.auth_code.authorize_url(params),
+        url: @config.oauth_client(
+          client_id: client_id,
+          client_secret: client_secret,
+          domain: domain,
+          authorize_url: "#{domain}/oauth2/auth",
+          token_url: "#{domain}/oauth2/token").auth_code.authorize_url(params),
         code_verifier: pkce_challenge.code_verifier
       }
     end
@@ -46,14 +62,34 @@ module KindeSdk
     # when callback processor receives code, it needs to be used for fetching bearer token
     #
     # @return [Hash]
-    def fetch_tokens(params_or_code, code_verifier: nil, redirect_uri: @config.callback_url)
-      code = params_or_code.kind_of?(Hash) ? params.fetch("code") : params_or_code
+    def fetch_tokens(
+      params_or_code, 
+      client_id: @config.client_id,
+      client_secret: @config.client_secret,
+      domain: @config.domain,
+      code_verifier: nil,
+      redirect_uri: @config.callback_url)
+      code = params_or_code.kind_of?(Hash) ? params_or_code.fetch("code") : params_or_code
       params = {
         redirect_uri: redirect_uri,
         headers: { 'User-Agent' => "Kinde-SDK: Ruby/#{KindeSdk::VERSION}" }
       }
       params[:code_verifier] = code_verifier if code_verifier
-      @config.oauth_client.auth_code.get_token(code.to_s, params).to_hash
+      token = @config.oauth_client(
+        client_id: client_id,
+        client_secret: client_secret,
+        domain: domain,
+        authorize_url: "#{domain}/oauth2/auth",
+        token_url: "#{domain}/oauth2/token").auth_code.get_token(code.to_s, params)
+
+      {
+        access_token: token.token,           # The access token
+        id_token: token.params['id_token'],  # The ID token from params
+        expires_at: token.expires_at,        # Optional: expiration time
+        refresh_token: token.refresh_token,   # Optional: if present
+        scope: token.params['scope'],        # The scopes requested
+        token_type: token.params['token_type'] # The token type
+      }.compact
     end
 
     # tokens_hash #=>
@@ -66,39 +102,60 @@ module KindeSdk
     #
     # @return [KindeSdk::Client]
     def client(tokens_hash)
-      sdk_api_client = api_client(tokens_hash["access_token"])
+      sdk_api_client = api_client(tokens_hash[:access_token] || tokens_hash["access_token"])
       KindeSdk::Client.new(sdk_api_client, tokens_hash, @config.auto_refresh_tokens)
     end
 
-    def logout_url
-      query = @config.logout_url ? URI.encode_www_form(redirect: @config.logout_url) : nil
-      host = URI::parse(@config.domain).host
+    def logout_url(logout_url: @config.logout_url, domain: @config.domain)
+      query = logout_url ? URI.encode_www_form(redirect: logout_url) : nil
+      host = URI::parse(domain).host
       URI::HTTP.build(host: host, path: '/logout', query: query).to_s
     end
 
     def client_credentials_access(
       client_id: @config.client_id,
       client_secret: @config.client_secret,
-      audience: "#{@config.domain}/api"
+      audience: "#{@config.domain}/api",
+      domain: @config.domain
     )
-      Faraday.new(url: @config.domain) do |faraday|
+      Faraday.new(url: domain) do |faraday|
         faraday.response :json
         faraday.use Faraday::FollowRedirects::Middleware
       end
-        .post(@config.token_url) do |req|
+        .post("#{domain}/oauth2/token") do |req|
         req.headers[:content_type] = 'application/x-www-form-urlencoded'
         req.body =
           "grant_type=client_credentials&client_id=#{client_id}&client_secret=#{client_secret}&audience=#{audience}"
       end.body
     end
 
-    def token_expired?(hash)
-      OAuth2::AccessToken.from_hash(@config.oauth_client, hash).expired?
+    def token_expired?(hash,
+      client_id: @config.client_id,
+      client_secret: @config.client_secret,
+      audience: "#{@config.domain}/api",
+      domain: @config.domain
+    )
+      OAuth2::AccessToken.from_hash(@config.oauth_client(
+        client_id: client_id, 
+        client_secret: client_secret,
+        domain: domain,
+        authorize_url: "#{domain}/oauth2/auth",
+        token_url: "#{domain}/oauth2/token"), hash).expired?
     end
 
     # @return [Hash]
-    def refresh_token(hash)
-      OAuth2::AccessToken.from_hash(@config.oauth_client, hash).refresh.to_hash
+    def refresh_token(hash,
+      client_id: @config.client_id,
+      client_secret: @config.client_secret,
+      audience: "#{@config.domain}/api",
+      domain: @config.domain
+    )
+      OAuth2::AccessToken.from_hash(@config.oauth_client(
+        client_id: client_id, 
+        client_secret: client_secret,
+        domain: domain,
+        authorize_url: "#{domain}/oauth2/auth",
+        token_url: "#{domain}/oauth2/token"), hash).refresh.to_hash
     end
 
     # init sdk api client by bearer token

data/spec/kinde_sdk_spec.rb

@@ -74,20 +74,20 @@ describe KindeSdk do
         )
         .to_return(
           status: 200,
-          body: { "access_token": "eyJ", "expires_in": 86399, "scope": "", "token_type": "bearer" }.to_json,
+          body: { "access_token": "eyJ", "id_token": "test", "refresh_token": "test","expires_in": 86399, "scope": "", "token_type": "bearer" }.to_json,
           headers: { "content-type" => "application/json;charset=UTF-8" }
         )
     end
 
     it "calls /token url with proper body and headers" do
-      expect(described_class.fetch_tokens(code).keys).to eq(%w[scope token_type access_token refresh_token expires_at])
+      expect(described_class.fetch_tokens(code).keys.map(&:to_s)).to eq(%w[access_token id_token expires_at refresh_token scope token_type])
     end
 
     context "with redefined callback_url" do
       let(:callback_url) { "another-callback" }
 
       it "calls /token url with proper body and headers" do
-        expect(described_class.fetch_tokens(code).keys.size).to eq(5)
+        expect(described_class.fetch_tokens(code).keys.size).to eq(6)
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kinde_sdk
 version: !ruby/object:Gem::Version
-  version: 1.2.3
+  version: 1.3.1
 platform: ruby
 authors:
 - Kinde Australia Pty Ltd
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-15 00:00:00.000000000 Z
+date: 2025-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: typhoeus
@@ -76,22 +76,22 @@ dependencies:
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.6.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.6.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.6.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.6.0
 description: Integrate the Kinde API into any ruby-based applications, Rails or non-Rails
 email:
 - support@kinde.com
@@ -422,6 +422,7 @@ files:
 - lib/kinde_sdk/client/feature_flags.rb
 - lib/kinde_sdk/client/permissions.rb
 - lib/kinde_sdk/configuration.rb
+- lib/kinde_sdk/controllers/auth_controller.rb
 - lib/kinde_sdk/version.rb
 - spec/kinde_sdk_spec.rb
 - spec/spec_helper.rb
@@ -429,7 +430,7 @@ homepage: https://kinde.com/
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -445,116 +446,116 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Kinde Management API Ruby Gem
 test_files:
 - spec/kinde_sdk_spec.rb
 - spec/spec_helper.rb
-- kinde_api/spec/api/permissions_api_spec.rb
-- kinde_api/spec/api/o_auth_api_spec.rb
-- kinde_api/spec/api/organizations_api_spec.rb
-- kinde_api/spec/api/business_api_spec.rb
-- kinde_api/spec/api/applications_api_spec.rb
 - kinde_api/spec/api/subscribers_api_spec.rb
-- kinde_api/spec/api/timezones_api_spec.rb
-- kinde_api/spec/api/connected_apps_api_spec.rb
+- kinde_api/spec/api/apis_api_spec.rb
 - kinde_api/spec/api/callbacks_api_spec.rb
 - kinde_api/spec/api/environments_api_spec.rb
-- kinde_api/spec/api/apis_api_spec.rb
-- kinde_api/spec/api/roles_api_spec.rb
-- kinde_api/spec/api/users_api_spec.rb
 - kinde_api/spec/api/feature_flags_api_spec.rb
+- kinde_api/spec/api/roles_api_spec.rb
 - kinde_api/spec/api/industries_api_spec.rb
+- kinde_api/spec/api/permissions_api_spec.rb
+- kinde_api/spec/api/timezones_api_spec.rb
+- kinde_api/spec/api/business_api_spec.rb
+- kinde_api/spec/api/users_api_spec.rb
+- kinde_api/spec/api/applications_api_spec.rb
+- kinde_api/spec/api/o_auth_api_spec.rb
+- kinde_api/spec/api/organizations_api_spec.rb
+- kinde_api/spec/api/connected_apps_api_spec.rb
 - kinde_api/spec/api_client_spec.rb
 - kinde_api/spec/configuration_spec.rb
-- kinde_api/spec/models/error_spec.rb
-- kinde_api/spec/models/create_application_response_spec.rb
-- kinde_api/spec/models/organization_user_role_permissions_permissions_spec.rb
-- kinde_api/spec/models/create_user_request_identities_inner_details_spec.rb
-- kinde_api/spec/models/update_api_applications_request_applications_inner_spec.rb
-- kinde_api/spec/models/apis_spec.rb
-- kinde_api/spec/models/users_response_users_inner_spec.rb
-- kinde_api/spec/models/create_organization_request_spec.rb
-- kinde_api/spec/models/api_applications_inner_spec.rb
-- kinde_api/spec/models/get_redirect_callback_urls_response_spec.rb
-- kinde_api/spec/models/get_organizations_user_roles_response_spec.rb
-- kinde_api/spec/models/error_response_spec.rb
-- kinde_api/spec/models/get_organizations_response_spec.rb
-- kinde_api/spec/models/permissions_spec.rb
-- kinde_api/spec/models/subscribers_subscriber_spec.rb
-- kinde_api/spec/models/get_organizations_user_permissions_response_spec.rb
+- kinde_api/spec/models/create_organization_response_organization_spec.rb
+- kinde_api/spec/models/organization_user_permission_spec.rb
+- kinde_api/spec/models/create_organization_user_role_request_spec.rb
+- kinde_api/spec/models/create_permission_request_spec.rb
+- kinde_api/spec/models/update_organization_users_response_spec.rb
 - kinde_api/spec/models/logout_redirect_urls_spec.rb
 - kinde_api/spec/models/api_result_spec.rb
-- kinde_api/spec/models/create_subscriber_success_response_subscriber_spec.rb
-- kinde_api/spec/models/api_spec.rb
-- kinde_api/spec/models/create_role_request_spec.rb
-- kinde_api/spec/models/organization_user_permission_spec.rb
+- kinde_api/spec/models/add_organization_users_response_spec.rb
+- kinde_api/spec/models/create_application_request_spec.rb
+- kinde_api/spec/models/redirect_callback_urls_spec.rb
+- kinde_api/spec/models/organization_spec.rb
+- kinde_api/spec/models/replace_redirect_callback_urls_request_spec.rb
+- kinde_api/spec/models/users_response_spec.rb
+- kinde_api/spec/models/role_spec.rb
 - kinde_api/spec/models/user_identity_spec.rb
-- kinde_api/spec/models/update_environement_feature_flag_override_request_spec.rb
-- kinde_api/spec/models/get_subscriber_response_spec.rb
+- kinde_api/spec/models/update_role_permissions_request_permissions_inner_spec.rb
+- kinde_api/spec/models/connected_apps_access_token_spec.rb
+- kinde_api/spec/models/update_organization_users_request_spec.rb
+- kinde_api/spec/models/get_applications_response_spec.rb
+- kinde_api/spec/models/update_user_request_spec.rb
+- kinde_api/spec/models/create_user_request_profile_spec.rb
 - kinde_api/spec/models/get_environment_feature_flags_response_spec.rb
-- kinde_api/spec/models/applications_spec.rb
-- kinde_api/spec/models/token_error_response_spec.rb
-- kinde_api/spec/models/create_application_response_application_spec.rb
-- kinde_api/spec/models/update_role_permissions_request_spec.rb
-- kinde_api/spec/models/roles_permission_response_inner_spec.rb
-- kinde_api/spec/models/get_organization_feature_flags_response_spec.rb
-- kinde_api/spec/models/roles_spec.rb
-- kinde_api/spec/models/get_organization_users_response_spec.rb
-- kinde_api/spec/models/organization_user_spec.rb
-- kinde_api/spec/models/organization_user_role_permissions_spec.rb
-- kinde_api/spec/models/create_organization_user_permission_request_spec.rb
-- kinde_api/spec/models/users_response_spec.rb
-- kinde_api/spec/models/organization_spec.rb
+- kinde_api/spec/models/subscribers_subscriber_spec.rb
+- kinde_api/spec/models/get_organizations_response_spec.rb
+- kinde_api/spec/models/create_user_request_identities_inner_spec.rb
+- kinde_api/spec/models/api_spec.rb
+- kinde_api/spec/models/get_application_response_application_spec.rb
 - kinde_api/spec/models/subscriber_spec.rb
-- kinde_api/spec/models/update_api_applications_request_spec.rb
-- kinde_api/spec/models/create_organization_user_role_request_spec.rb
-- kinde_api/spec/models/create_application_request_spec.rb
-- kinde_api/spec/models/update_user_response_spec.rb
-- kinde_api/spec/models/add_organization_users_request_spec.rb
-- kinde_api/spec/models/update_role_permissions_request_permissions_inner_spec.rb
 - kinde_api/spec/models/connected_apps_auth_url_spec.rb
-- kinde_api/spec/models/update_organization_users_response_spec.rb
 - kinde_api/spec/models/add_apis_request_spec.rb
-- kinde_api/spec/models/user_identities_inner_spec.rb
+- kinde_api/spec/models/create_user_request_identities_inner_details_spec.rb
+- kinde_api/spec/models/organization_user_spec.rb
+- kinde_api/spec/models/roles_spec.rb
+- kinde_api/spec/models/get_subscriber_response_spec.rb
+- kinde_api/spec/models/roles_permission_response_inner_spec.rb
+- kinde_api/spec/models/apis_spec.rb
+- kinde_api/spec/models/create_application_response_application_spec.rb
+- kinde_api/spec/models/update_application_request_spec.rb
+- kinde_api/spec/models/get_organizations_user_permissions_response_spec.rb
+- kinde_api/spec/models/update_environement_feature_flag_override_request_spec.rb
 - kinde_api/spec/models/create_feature_flag_request_spec.rb
 - kinde_api/spec/models/update_roles_request_spec.rb
-- kinde_api/spec/models/replace_logout_redirect_urls_request_spec.rb
-- kinde_api/spec/models/create_user_request_profile_spec.rb
-- kinde_api/spec/models/redirect_callback_urls_spec.rb
+- kinde_api/spec/models/token_introspect_spec.rb
 - kinde_api/spec/models/get_permissions_response_spec.rb
-- kinde_api/spec/models/update_organization_users_request_spec.rb
-- kinde_api/spec/models/create_user_request_spec.rb
-- kinde_api/spec/models/user_identity_result_spec.rb
-- kinde_api/spec/models/update_user_request_spec.rb
+- kinde_api/spec/models/create_organization_user_permission_request_spec.rb
+- kinde_api/spec/models/update_role_permissions_request_spec.rb
+- kinde_api/spec/models/create_user_response_spec.rb
+- kinde_api/spec/models/user_profile_v2_spec.rb
+- kinde_api/spec/models/token_error_response_spec.rb
+- kinde_api/spec/models/update_api_applications_request_applications_inner_spec.rb
+- kinde_api/spec/models/get_redirect_callback_urls_response_spec.rb
 - kinde_api/spec/models/get_organization_feature_flags_response_feature_flags_value_spec.rb
-- kinde_api/spec/models/get_application_response_spec.rb
-- kinde_api/spec/models/create_subscriber_success_response_spec.rb
-- kinde_api/spec/models/connected_apps_access_token_spec.rb
-- kinde_api/spec/models/create_organization_response_spec.rb
-- kinde_api/spec/models/create_organization_response_organization_spec.rb
-- kinde_api/spec/models/create_permission_request_spec.rb
-- kinde_api/spec/models/update_organization_request_spec.rb
-- kinde_api/spec/models/update_application_request_spec.rb
-- kinde_api/spec/models/get_applications_response_spec.rb
 - kinde_api/spec/models/organization_user_permission_roles_inner_spec.rb
-- kinde_api/spec/models/update_organization_users_request_users_inner_spec.rb
-- kinde_api/spec/models/add_organization_users_response_spec.rb
-- kinde_api/spec/models/get_roles_response_spec.rb
-- kinde_api/spec/models/create_user_response_spec.rb
-- kinde_api/spec/models/update_role_permissions_response_spec.rb
-- kinde_api/spec/models/replace_redirect_callback_urls_request_spec.rb
-- kinde_api/spec/models/user_spec.rb
-- kinde_api/spec/models/role_spec.rb
 - kinde_api/spec/models/success_response_spec.rb
+- kinde_api/spec/models/get_organization_feature_flags_response_spec.rb
+- kinde_api/spec/models/permissions_spec.rb
 - kinde_api/spec/models/organization_user_role_spec.rb
-- kinde_api/spec/models/get_application_response_application_spec.rb
-- kinde_api/spec/models/user_profile_spec.rb
-- kinde_api/spec/models/create_user_request_identities_inner_spec.rb
+- kinde_api/spec/models/organization_user_role_permissions_spec.rb
+- kinde_api/spec/models/error_response_spec.rb
+- kinde_api/spec/models/get_organization_users_response_spec.rb
+- kinde_api/spec/models/organization_user_role_permissions_permissions_spec.rb
+- kinde_api/spec/models/error_spec.rb
+- kinde_api/spec/models/create_role_request_spec.rb
+- kinde_api/spec/models/update_user_response_spec.rb
 - kinde_api/spec/models/add_organization_users_request_users_inner_spec.rb
-- kinde_api/spec/models/user_profile_v2_spec.rb
+- kinde_api/spec/models/replace_logout_redirect_urls_request_spec.rb
+- kinde_api/spec/models/user_spec.rb
+- kinde_api/spec/models/create_application_response_spec.rb
+- kinde_api/spec/models/create_organization_response_spec.rb
 - kinde_api/spec/models/get_subscribers_response_spec.rb
-- kinde_api/spec/models/token_introspect_spec.rb
+- kinde_api/spec/models/get_application_response_spec.rb
+- kinde_api/spec/models/applications_spec.rb
+- kinde_api/spec/models/update_role_permissions_response_spec.rb
+- kinde_api/spec/models/update_api_applications_request_spec.rb
+- kinde_api/spec/models/create_organization_request_spec.rb
+- kinde_api/spec/models/api_applications_inner_spec.rb
+- kinde_api/spec/models/update_organization_users_request_users_inner_spec.rb
+- kinde_api/spec/models/user_profile_spec.rb
+- kinde_api/spec/models/users_response_users_inner_spec.rb
+- kinde_api/spec/models/create_subscriber_success_response_spec.rb
+- kinde_api/spec/models/create_subscriber_success_response_subscriber_spec.rb
+- kinde_api/spec/models/user_identity_result_spec.rb
+- kinde_api/spec/models/get_roles_response_spec.rb
+- kinde_api/spec/models/create_user_request_spec.rb
+- kinde_api/spec/models/update_organization_request_spec.rb
+- kinde_api/spec/models/get_organizations_user_roles_response_spec.rb
+- kinde_api/spec/models/user_identities_inner_spec.rb
+- kinde_api/spec/models/add_organization_users_request_spec.rb
 - kinde_api/spec/spec_helper.rb